systemtruststores / systemtruststores.github.io


OpenSSL behaviour #17

Open chriskilding opened 2 years ago

chriskilding commented 2 years ago

OpenSSL is the default TLS backend for many programming language stacks. Its behavior therefore determines how TLS verification works by default, unless the technology stack is compiled with a different backend (e.g. schannel).

On macOS, when OpenSSL is used in a TLS proxy environment, you may encounter the frustrating problem that TLS connections work for some users and not for others. This is because when OpenSSL is installed from Homebrew, it does something fragile to obtain TLS certificates:

A CA file has been bootstrapped using certificates from the system keychain. To add additional certificates, place .pem files in /usr/local/etc/openssl@1.1/certs

and run /usr/local/opt/openssl@1.1/bin/c_rehash

This means that if you brew install openssl after putting your custom TLS certificate in the Keychain, it will see it, copy it out, and then programs built on OpenSSL will appear to work - even though you never copied the certificate to /etc/ssl yourself.

But if you brew install openssl before putting your custom TLS certificate in the Keychain, it won't see it, and programs built on OpenSSL will fail to make TLS connections.

(And if you obtain OpenSSL not from Brew, then it won't sense your custom certificate either.)
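A quick way to see the behaviour described above from a program's point of view is to ask the OpenSSL that a language runtime links against where it looks for CA material and which CAs it has actually loaded. The following is an added diagnostic, not code from this repository; it uses Python's `ssl` module (which wraps OpenSSL) and the CA name "Corp Proxy Root CA" is a placeholder for whatever proxy certificate you put in the Keychain.

```python
import ssl
from typing import Optional

def openssl_default_paths() -> dict:
    """Report where the linked OpenSSL looks for CAs when nothing overrides it.
    On a Homebrew build this is the bootstrapped cert.pem / certs directory,
    not the macOS Keychain, which is why a CA added to the Keychain after
    'brew install openssl' is invisible to OpenSSL-backed programs."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.openssl_cafile, "cafile_present": p.cafile is not None,
        "capath": p.openssl_capath, "capath_present": p.capath is not None,
        "cafile_env": p.openssl_cafile_env, "capath_env": p.openssl_capath_env,
    }

def subject_cn(cert: dict) -> Optional[str]:
    """Extract commonName from the nested RDN tuples ssl returns as 'subject'."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def find_ca(ca_certs: list, common_name: str) -> Optional[dict]:
    """Return the loaded CA whose subject CN matches, or None if OpenSSL never saw it."""
    for cert in ca_certs:
        if subject_cn(cert) == common_name:
            return cert
    return None

def loaded_cas(cafile: Optional[str] = None, capath: Optional[str] = None) -> list:
    """List the CAs OpenSSL has loaded. With no arguments this is the default store.
    Caveat: certificates in a capath (c_rehash-style hashed directory) are loaded
    lazily, so pass the bootstrapped cert.pem as cafile to get a complete listing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    else:
        ctx.load_default_certs()
    return ctx.get_ca_certs()

if __name__ == "__main__":
    paths = openssl_default_paths()
    print("OpenSSL default CA locations:", paths)
    # Placeholder CN: replace with the proxy CA you installed in the Keychain.
    hit = find_ca(loaded_cas(cafile=paths["cafile"] if paths["cafile_present"] else None),
                  "Corp Proxy Root CA")
    print("proxy CA visible to OpenSSL:", hit is not None)
```

If the CA is not found, drop its .pem into the Homebrew certs directory and run `c_rehash` as the install caveat says, then re-run the script.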